I am, by no means, a security expert. But this much I do know: that security is, and will always be, a moving target. So I was very interested to read several blog entries talking about this week's Black Hat Europe conference in Barcelona, where one of the presentations talked about security issues with wireless sensor networks. Specifically, how to compromise them.
Thanassis Giannetsos presented a paper on weaponizing wireless networks, detailing his and his colleagues' software tool that enables passive monitoring of, and attacks on, a variety of wireless sensor networks. (Andy Greenberg, blogging for Forbes, has an excellent piece on this that includes a link to the full text of Giannetsos' paper.) Put simply, considering the growth of interest in, and implementation of, wireless sensor networks and considering that these technologies are new and complex, there will be vulnerabilities. Researchers such as Giannetsos and his colleagues Tassos Dimitriou and Neeli Prasad spend their time trying to find these vulnerabilities because someone out there is going to do so—whether they're criminals, crazies, industrial spies, or just overly curious—so the best thing to do is to find them first and patch them ASAP.
Which is a very good idea because of the plans underway to use large sensor networks to monitor structures, the environment, all kinds of machinery, and the Smart Grid, to name but four. Security is, in fact, one of the focus areas of the Smart Grid project, considered from the beginning, rather than buckled on as an afterthought. The last thing anyone wants is unauthorized tampering with any of these systems.
However, people who build these systems aren't necessarily the best ones to figure out how to break them. In the movie Force 10 from Navarone, an American military team has been sent to blow up a bridge in Czechoslovakia during World War II. Barnsby, the leader of the American team, is arguing with Miller, an English demolition expert, as they examine the bridge (held by the Germans) from a safe distance:
Barnsby: Now, look. Our experts have been studying that bridge for weeks, and they say it'll blow. I don't know where you learned your job, but I'm talking about the best construction engineers in the business!
Miller: Yes. Well, they're probably experts at building things, whereas I'm an expert at blowing them up, and you can take it from me that one would need a good eight hours to make a decent job on that bridge.
Or, as applied to security issues, I'd suggest reading Bruce Schneier's essay in Wired, "Inside the Twisted Mind of the Security Professional,". A person with a security mindset looks at a situation and figures out how to break it, examines how a given technology or process can fail and how to make it fail. While the creators of these networks are trying hard to make them as secure as possible, I find it very heartening to know that there are also clever, twisty-minded researchers out there, working to identify—and patch—the weak spots that they've missed.